Confidentiality and Information Sharing Protocol

Version | Author | Next Review Date | Notes
V1 (February 2025) | Emma Kitcher, Data Protection Officer | February 2026 | New Draft
V2 (October 2025) | Emma Kitcher, Data Protection Officer | October 2026 | Annual review – no changes.
V3 (March 2026) | Caroline Oliver | October 2026 | Included Holiday Club with the policy

Contents

    INTRODUCTION
    QUICK REFERENCE POINTS
    KEY DEFINITIONS
    SCOPE
    KEY LEGISLATION / FRAMEWORK
    WHAT IS PERSONAL CONFIDENTIAL INFORMATION?
    THE DUTY OF CONFIDENTIALITY / NO SURPRISES
    CONSIDERATIONS WHEN SHARING
    ROUTINE SHARING WITH THIRD PARTIES
    MAINTAINING A CONFIDENTIAL ENVIRONMENT
    TELEPHONE ENQUIRIES
    DISCLOSURE TO OTHER EMPLOYEES
    CARELESSNESS
    INTERNAL AND EXTERNAL POST
    EMAILING
    PAPER RECORDS
    ABUSE OF PRIVILEGE
    APPLICATION AND AUDIT
    APPENDIX A: NON-STANDARD INFORMATION SHARING TEMPLATE
    APPENDIX B: TRANSFERS OUTSIDE OF THE UK
    APPENDIX D: PROCESSOR CONTRACT REVIEW TEMPLATE

INTRODUCTION

Privacy is a concept that emerges from a complex area of law. The three key elements of privacy arise from the Common Law Duty of Confidence / Tort of Misuse of Private Information, Article 8 European Convention of Human Rights (Right to Privacy) and the Data Protection Act 2018 / General Data Protection Regulations (GDPR). This protocol intends to support staff in navigating this framework and encourage lawful, secure and appropriate information sharing.

QUICK REFERENCE POINTS

  • Personal Confidential Information can include identifiers (like name, email address) but can also be information without identifiers
  • If you are given information that is expected to be kept private, it creates a duty to maintain confidentiality
  • Breaching that duty would be to disclose in an unexpected or unauthorised way
  • Individuals can then bring legal action as a result of damage or distress caused
  • There are circumstances where that duty can be lawfully breached (like public interest, court orders and consent)
  • Routine information sharing should be covered by specific contracts or agreements
  • Ad hoc information sharing should involve careful consideration and support from key roles
  • Do not be pressured or tricked into giving out information – be aware of the rules
  • There are ways in which you can reduce the risk when dealing with paper records, working on the telephone, or sending emails

KEY DEFINITIONS

Personal Confidential Information            
This term is intended to cover information captured by the Data Protection Act 2018 / GDPR (identifiable information about the living), information covered by the Common Law Duty of Confidence / Tort of Misuse of Private Information and finally, information covered by Article 8 European Convention for Human Rights.

SCOPE

See Information Governance Policy for key roles.
All staff, whether management or administrative, who create, receive and use Personal Confidential Information have responsibilities to ensure lawful, secure and appropriate information sharing. Employees have a contractual and legal obligation to read and comply with all company policies and to attend mandatory training to support the appropriate management of information.
The privacy and confidentiality owed to families, employees, visitors and customers is paramount to maintaining strong relationships with our stakeholders and protecting both those individuals and our reputation.

KEY LEGISLATION / FRAMEWORK

Data Protection Act 2018 / General Data Protection Regulations (GDPR)

This legislation protects Personal Data (information which identifies or could identify a living individual).

Common Law Duty of Confidence / Tort of Misuse of Private Information

This common law protects information which a ‘reasonable person’ would expect to remain private. This might include financial / contract information or information about the deceased.

Article 8 European Convention of Human Rights (Right to Privacy)

This inherent human right determines that citizens have a right to have their information and family life protected from arbitrary interference from the state – i.e. public bodies or those working on behalf of public bodies.

WHAT IS PERSONAL CONFIDENTIAL INFORMATION?

  • This term is intended to cover information captured by the Data Protection Act 2018 / GDPR (identifiable information about the living), information covered by the Common Law Duty of Confidence / Tort of Misuse of Private Information and finally, information covered by Article 8 European Convention for Human Rights.
  • Personal Confidential Information may be held on paper, USB sticks, computer file or printout, laptops, tablets, mobile phones or even heard by word of mouth or telephone.
  • Personal Confidential Information includes information that contains the following identifiers:
      • Name
      • Home address
      • Email address
      • National insurance / NHS Number
      • Passport number
      • IP address
      • Digital identity
      • Date of birth
      • Birthplace
      • Login, screen name, nickname, or handle
      • Telephone number
      • Country, county, postcode
      • Age (particularly if extreme i.e. very old)
      • Gender or race
      • Name of the school they attend or workplace
      • Grades, salary, or job position
      • Criminal record
      • Health records
      • Web Cookie / IP address
It is important to note that the absence of identifiers does not mean that information is not Personal Confidential Information.
Example
An employee spreadsheet is produced that lists salaries against each staff member in each department but does not include their name or job title. It shows that there are 20 people in the sales team and their salaries range from £18,000 to £40,000. However, the Equality and Diversity Team only has two employees: the Lead and the Assistant. It would be clear which salary related to which employee in this scenario.
  • Some information is more sensitive, requires additional care and needs a specific lawful basis to handle it (Special Category Data). This is because, if accessed by an unauthorised individual, this type of information has the potential to cause damage or distress to the data subject.
      • Racial or ethnic origin
      • Political opinions
      • Religious or similar beliefs
      • Trade union membership
      • Physical or mental health or condition
      • Sexual life
      • Commission (actual or alleged) or proceedings for an offence
      • Biometrics such as fingerprints
  • Non-person-identifiable information can also be considered confidential. For example, confidential business information such as financial reports; and commercially sensitive information such as contracts, trade secrets, procurement information. This information should also be treated with care.

THE DUTY OF CONFIDENTIALITY / NO SURPRISES

  • In order for a duty of confidentiality to exist, an individual must have disclosed information to you (or it must have been obtained from a third party) that a reasonable person would expect to remain confidential.
  • Now that a duty exists, you can be held legally accountable for ‘breaching’ that duty.
  • This means that if you disclose that information in an ‘unauthorised’ or ‘unexpected’ way, the individual can bring legal action for the damage caused as a result.
  • There are times when you can legally ‘set aside’ or breach your duty of confidentiality, for example:
      • when the individual gives their consent
      • or it is in the public interest
      • or to protect someone from harm
      • or the court has ordered it
      • or the individual reasonably expects the disclosure
  • When considering activities or possible disclosures that involve Personal Confidential Information, consider:
      • Is this something not already listed in our privacy materials?
      • Is this something that the average individual would not expect me to do?
      • Would a reasonable person be ‘highly offended’ if I did this without contacting them first?
  • If the answer to any of the above questions is ‘yes’, refer the activity to your Data Protection Officer who can assist with raising awareness.
  • The concept of no surprises doesn’t mean that we ask for consent every time we undertake activity with Personal Confidential Information.
Example:
We are required to disclose information about a person that poses a threat to the public. We believe that making them aware of the disclosure could trigger the threat we are trying to manage. We do not tell the individual or obtain consent. However, we already note in our privacy materials that we will make these kinds of disclosures. The average, reasonable person expects these types of disclosures and would not be ‘highly offended’ at the concept of protecting the public. Therefore, there are “no surprises”.
  • Informing individuals about how their information is used supports their human rights. We all have a right to feel a sense of control over our lives. Involving individuals through transparency and engagement supports this control and autonomy

CONSIDERATIONS WHEN SHARING

  • Take care to ensure that information is only shared with the appropriate people in appropriate circumstances
  • Care must be taken to check there is a legal basis for disclosure before releasing it. The lawful basis will be recorded in the Information Sharing Agreement or Protocol.
  • If it is possible, de-identify or anonymise the data before disclosure
  • De-identifying or pseudonymising the data means removing any direct identifiers (name, email address) and possibly leaving a reference number or code (i.e. NI Number, postcode). This is still personal data, but it reduces the risk.
  • Anonymisation means removing any opportunity that the data could be linked back to a particular individual.
  • When personal information is being shared routinely between our organisation and other organisations – the Information Sharing Protocols or Agreements mentioned above will support your sharing decisions and identify best practice.
  • When you are required to share personal information for a ‘one off’ purpose, you should consider the potential benefits and risks, either to individuals or society, of sharing the data. You should also assess the likely results of not sharing the data and apply common sense.
  • With any request to share Personal or Sensitive Personal Confidential Information outside of usual practice or outside of the country, always speak with the Data Protection Officer to confirm the approach.

ROUTINE SHARING WITH THIRD PARTIES

  • All routine sharing of Personal Confidential Information, with other organisations, should be covered by an Information Sharing document.
  • When the sharing is between two Data Controllers, for example:
      • A GP practice and a hospital
      • A company and their solicitor
    there should be an Information Sharing Agreement in place that identifies why and how information will be shared and the measures taken to protect it.
  • Where the sharing is between Hopscotch Nurseries and a provider who is processing Personal Confidential Information on their behalf, there should be a Processing contract in place that meets with the requirements of GDPR Article 28 and s 59 DPA 2018.
  • See Appendix D.
  • Where a third party is not processing Personal Confidential Information on Hopscotch Nurseries’ behalf but may come into contact with such data incidentally (such as a cleaner or contractor), they must have signed a confidentiality agreement.

MAINTAINING A CONFIDENTIAL ENVIRONMENT

  • A secure or confidential operational environment exists when there is either a secure physical location or an agreed set of administration arrangements in place within Hopscotch Nurseries that ensure Personal Confidential Information is handled and shared safely and securely.
  • It is a safeguard for privacy for all the stakeholders of Grilled Cheese. Any members of staff handling Personal Confidential Information, whether paper based or electronic, must adhere to the principles of a secure / confidential environment. The guidelines below identify how Hopscotch Nurseries and Holiday Club maintain an SOE, and so it is crucial that all staff are aware of and comply with this Procedure.

TELEPHONE ENQUIRIES

  • A parent, staff member, member of the public or partner organisation may telephone us, for example to discuss an individual, report a problem or to access some information.
  • Some people attempt to gain information from organisations illegally by deception.
  • This practice is known as Voice Phishing or “blagging” and is part of an illegal trade in Personal Confidential Information. An individual with a legitimate request will be open about their activity and will not need to resort to Voice Phishing.
  • You should not disclose any information unless you are sure they are the person they say they are and need access to the information as part of their job role or other legitimate need.
  • If in any doubt, do not disclose the information and speak to the Information Governance Lead or Data Protection Officer.
  • If a request for personal information is made by telephone, always satisfy yourself as to the identity of the caller by;

  • Remember that even the fact that an individual is known to us is confidential. If in doubt, consult with your manager. 

DISCLOSURE TO OTHER EMPLOYEES

  • In line with the ‘Need to know’ principle, Personal Confidential Information should only be released to individuals that have a genuine, identified business need.
  • Don’t be coerced into giving out Personal Confidential Information. If in doubt, check with a senior member of staff.

CARELESSNESS

  • Do not talk about families or staff in public places or where you can be overheard
  • Do not discuss families’ sensitive information with friends or colleagues. Remember, even if you omit names – someone may know that person
  • Do not leave any records or confidential information lying around unattended
  • Make sure that any computer screens, or other displays of confidential information i.e. whiteboards, cannot be seen by anyone who does not need to know. Ensure that screens are locked when away from your desk.

INTERNAL AND EXTERNAL POST

  • Maintain a clear desk policy and undertake regular checks where possible to identify errors or potential breaches.
  • Staff should not copy or amend existing letters – use a fresh template to avoid errors.
  • High volume or bulky material must only be transported in approved boxes and never in dustbin sacks or other containers and must be locked away until collected by an approved carrier.
  • Personal Confidential Information should always be labelled as Private & Confidential on the envelope and letters should be addressed to an individual rather than a team where possible.
  • Always provide a return address and ensure the packaging is robust.

EMAILING

  • Personal Confidential Information must be sent using a secure email service.
  • If, for any reason this is not possible, it should be sent in a password protected spreadsheet, with the password being given to the recipient separately by phone.
  • Always double check you are sending the email to the correct recipient.
  • Regularly check / update your distribution list to ensure copies are not sent to staff who have left, moved to another service or no longer require the information
  • Where possible, telephone the recipient of the e-mail to let them know you are going to send Personal Identifiable Information
  • When emailing information to more than one individual, always use bcc so that their email addresses are not visible to one another.

PAPER RECORDS

  • When printing Personal Confidential Information use the ‘locked print’ facility, where available. If not, be sure to retrieve from the printer promptly.
  • Never leave Personal Confidential Information on the printer / photocopier
  • If you find unclaimed personal information in the printer / photocopier, you must complete an information incident form.
  • Clear your desk at the end of each day, keeping all portable records containing Personal Confidential Information in recognised filing and storage places that are locked at times when access is not directly controlled or supervised
  • Paper records must always be kept locked away when unattended. This includes when the building is locked for the evening.

ABUSE OF PRIVILEGE

  • Staff are strictly forbidden to access their own Personal Confidential Information unless specifically authorised to do so. This includes looking at your own HR files.
  • Staff are forbidden to access any personal information relating to public figures, colleagues, friends or relatives unless they have a legitimate reason to do so as part of their employment responsibilities.
  • Such activity would be a breach of the Computer Misuse Act 1990 and / or Data Protection legislation.
  • If you wish to request a copy of your Personal Confidential Information refer to Information Access and Rights Procedure.

APPLICATION AND AUDIT

Compliance with this protocol will be audited and the results fed into the Plan, Do, Check, Act Cycle described in the Information Risk and Audit Protocol.
  • Staff must confirm that they have read and understood this protocol
  • This protocol will be reviewed annually or sooner in the event of significant learning or change
  • This protocol should be read in conjunction with the other protocols in the Data Protection and Security policy suite
  • Further relevant guidance can be found in the Disclosures and Access Protocol

APPENDIX A: NON-STANDARD INFORMATION SHARING TEMPLATE

What are the details of the sharing request (no personal data)?
Do you have a clear objective for disclosure? This will allow you to determine what needs to be shared and with whom.
What is the lawful basis under Data Protection legislation?
For example, public interest, court order, consent.
On what basis is the duty of confidentiality set aside?
For example, public interest, court order, the individual ‘reasonably expects’ such a disclosure
Does the disclosure represent a lawful interference with the individuals’ rights to privacy under the European Convention of Human Rights?
For example, it is lawful, it is in order to protect health and morals.
Identify the public interest factors for disclosure that outweigh the public interest in maintaining confidentiality.
For example, public interest in protecting individuals from harm, public interest in observing the rights of individuals to access their information, the public interest in prevention and detection of crime.
If the request is a subject access request made on or by the individual, please consult the Information Access and Rights Protocol.
Has a review been carried out to ensure that the minimum necessary data has been requested for the lawful purpose? Could any identifiers be removed?
Consider whether the individual has or will be notified about the disclosure. If this would prejudice the purpose in some way – document it here.
Consider the specific individual that the information should be disclosed to and ensure there is a ‘need to know’
Has a review been carried out to ensure that the information being requested is legitimate and necessary for the lawful purpose?
Consider the methods for sharing information in terms of their security and safeguards in place.
Outcome
 
 
 


APPENDIX B: TRANSFERS OUTSIDE OF THE UK

The countries where data may be transferred without additional assurances are:
Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom
The following also have an adequate level of protection for personal data
Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Switzerland, Uruguay


APPENDIX D: PROCESSOR CONTRACT REVIEW TEMPLATE

In line with the requirements of GDPR Article 28 and s 59 DPA 2018, this contract allows Grilled Cheese to review the contracts in place with Data Processors and ensure they are compliant.
This checklist serves as a first part of the process towards confirming that a contract contains the relevant terms and conditions to allocate Data Protection responsibility and to ensure that appropriate controls are in place to protect Personal Confidential Information
In line with Data Protection Act 2018, the Data Processor acts only on the instruction of the Data Controller, and this MUST be under a legally enforceable contract. 
Contract/Supplier Name:
Synopsis of use of information and types of information used:
Date Checklist Completed:
Senior Responsible Owner:

Required clause/areas covered by contract | Included y/n/NA | Notes/Comments
If possible, please attach or provide a map of data flows, i.e. where information will travel from and to, and what the information might contain
Is the processor required to provide, on request, evidence that they have implemented appropriate technical and organisational measures to protect personal data including storage and transmission of data, business continuity, staff training, auditing, access control and Cyber security?
Does the contract state that the processor shall not engage another processor without prior specific or general written authorisation of the controller?
Does the contract set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller?
Does the contract stipulate that the Processor processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by law and in those cases will notify the Controller?
Does the contract state that all staff employed by the processor have contracts that include confidentiality clauses and that Personal Data will not be shared with a third party unless required to do so by law?
Does the contract require the Processor to assist the Controller to respond to requests for exercising the data subject's rights i.e. access to information, correction of errors?
Does the contract require the Processor to assist the Controller in reporting information incidents promptly including where it might be required to contact the data subject?
Does the contract state what should happen to the data at the end of the contract or in the event of termination such as return of the data or secure destruction?
Does the contract require the Processor to allow for and comply with audits including inspections conducted by the Controller or a third party engaged by the Controller?